In 2020, 113 federal, state and municipal governments and agencies were affected by ransomware attacks, according to a recent report from Emsisoft’s Malware Lab. Those attacks caused “significant, and sometimes life-threatening, disruptions” including interruptions to 9-1-1 services. Additionally, in 2020, cyber criminals incorporated the theft of highly valuable or sensitive information into their tactics, alongside ransomware deployments. The outlook for ransomware in 2021 looks equally grim.
Since it’s difficult (and in some cases, impossible) to break ransomware encryption, and since sensitive files often contain irreplaceable information, organizations often end up paying the ransom. Many may not believe they have a choice.
However, paying the ransom is a risky proposition. There are no guarantees that a decryption key will be provided after the crooks get their money. The FBI would prefer that you do not pay. There are no guarantees that a decryption key will be provided after the crooks get their money. Additionally, your information may have been sold to an underground market and there’s really no way to tell unless you are monitoring them. There’s no honor among thieves after all.
So, what can you do to prevent or lessen the damage and cost of ransomware attacks?
Security Controls Can Mitigate the Damage
Security controls are one way to improve overall security and lessen your organizational risk. You can rely on these same controls to limit your ransomware risk. For instance, you can lower your exposure to ransomware by employing specific controls found in the National Institute for Standards and Technology (NIST) Security and Privacy Controls for Information Systems and Organizations.
In addition, since ransomware usually gets into systems through email attachments and compromised websites, user awareness plays a critical part in prevention. By adhering to the NIST Awareness and Training (AT) family of controls, your employees and contractors can better understand the risks and key prevention steps. If you apply and enforce the AT-2 control, you not only provide basic security training, but also prevent the spread of malicious malware in the first place.
Most malware preys on unsuspecting users by injecting a malicious payload or file download. Attackers create emails and websites that look legitimate to lure people to click on a link or an attachment. Once they click, attackers can get access to the network. Users need to be aware of this, along with other new and emerging ransomware tactics.
Other important controls you should implement include modern endpoint detection and response (EDR) solutions to replace or support traditional antivirus, and – as always – keeping up-to-date with patches for your systems and software.
Restrict and Manage Administrative Rights
Controls that ensure antivirus programs are updated and patches are applied across your network are critical in preventing ransomware. After all, even the most aware users can still be influenced by crafty criminals to give up a password, whether they click on a link or divulge that information over the phone. By running well-patched applications and current antivirus software (and frequently scanning to make sure these patches and software are up to date), you can prevent the delivery of ransomware payloads even if credentials are stolen.
Similarly, using controls that restrict and manage user administrative rights can keep cyber criminals at bay. These attackers typically leverage elevated privileges to gain permission to install their malware and open sensitive files. NIST provides guidance for reducing the risk of these powerful accounts.
For example, Access Control (AC-6) describes the concept of “least privilege,” allowing only authorized access for users which are necessary to accomplish assigned tasks. By restricting access to special users, you can significantly deter an attacker from installing ransomware software and gaining privileged access across the network. You can also prevent them from locking critical files.
Ultimately, criminals may get to the front desk of your network, so to speak, but if you implement the AT-2 and AC-6 controls, you can keep them waiting in the foyer.
With the impact of ransomware so debilitating—loss of critical information, loss of productivity, ransom costs, reputational damage—the effort to prevent and recover from ransomware is well worth it. However, it doesn’t have to be difficult or expensive.
Basic adherence to tried and true security controls may not prevent all ransomware. However, strict adherence to a comprehensive control methodology, and frequent monitoring of their effectiveness, can reduce the likelihood of a successful ransom campaign against your organization through the rest of 2021 and beyond.